Simple Setup
If you just need a self-signed certificate and its private key, with no separate certificate authority, then you can use:
openssl req \
  -newkey rsa:2048 \
  -nodes -keyout private.pem \
  -x509 \
  -days 365 \
  -out site.crt

Two things to be aware of: -nodes writes private.pem unencrypted (no passphrase), and this form puts no subjectAltName in the certificate. Modern browsers ignore the Common Name and require the hostname in a subjectAltName, so a certificate made this way is fine for local testing with clients you control, but browsers will still warn about it.
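As an added example that is not part of the original page, here is the same command run unattended (the subject given on the command line instead of being prompted for) and with the hostname placed in a subjectAltName, followed by a check that the output is actually usable: the certificate carries the expected SAN, verifies against itself for that hostname, and the private key matches it. The output directory and hostname are parameters; my.domain.com is a placeholder. -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not the page's own command. Assumed placeholders: the output
# directory and the hostname are parameters; nothing else is taken from the page.

make_self_signed() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir" || return 1
  # Same as the page's "simple setup", plus -subj (no prompts) and -addext (SAN).
  openssl req \
    -newkey rsa:2048 \
    -nodes -keyout "$dir/private.pem" \
    -x509 \
    -days 365 \
    -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" \
    -out "$dir/site.crt" 2>/dev/null
}

# Returns 0 only if site.crt names the host in its SAN, verifies as its own
# trust anchor for that hostname, and private.pem really is its private key.
check_self_signed() {
  dir="$1"; fqdn="$2"
  openssl x509 -in "$dir/site.crt" -noout -text | grep -q "DNS:$fqdn" || return 1
  openssl verify -CAfile "$dir/site.crt" -verify_hostname "$fqdn" \
    "$dir/site.crt" >/dev/null 2>&1 || return 1
  # Public key embedded in the certificate must equal the one derived from the key.
  cert_pub=$(openssl x509 -in "$dir/site.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/private.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}
```

The public-key comparison is the quick way to catch the classic deployment mistake of pairing a certificate with the wrong key file; the hostname check catches a certificate issued for a different name.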
Certificate Authority Method
If you also need to act as your own certificate authority, i.e. the CA that signs the site certificate, then:
Create a private key for your certificate authority. The -des3 option encrypts the key with a passphrase, which you will be prompted for now and every time the key is used for signing.
openssl genrsa -des3 -out ca.pem 2048
Now create the public certificate for that certificate authority from the key you just generated. This may be referred to as the "root certificate".
openssl req \
  -x509 \
  -new \
  -nodes \
  -key ca.pem \
  -sha256 \
  -days 1825 \
  -out ca.crt
Now create a private key for your site:
openssl genrsa -out my.domain.com.pem 2048
Now we need to create a "certificate signing request" (CSR) to give to our CA to sign:
openssl req \
  -new \
  -key my.domain.com.pem \
  -out certificate-request.csr
Now we hand the CSR over to the certificate authority (which is ourselves), and the CA uses it to create the public certificate for the site (which it hands back to us).
First, though, the CA needs a configuration file that sets the extensions placed in the generated certificate, such as what the certificate may be used for:
editor configuration.ext
Fill it with the following, changing the DNS.1 value to your site's FQDN (further names can be added as DNS.2, DNS.3 and so on):
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = my.domain.com
@TODO - tutorial on all the options for this configuration file.
Now that we have all of these files, we can finally use them to create the site certificate:
openssl x509 \
  -req \
  -in certificate-request.csr \
  -CA ca.crt \
  -CAkey ca.pem \
  -CAcreateserial \
  -out my.domain.com.crt \
  -days 365 \
  -sha256 \
  -extfile configuration.ext
Now you have all of your certificates. If you use Apache, you will need the three files:
- ca.crt - the certificate authority's public certificate (SSLCertificateChainFile; on Apache 2.4.8 and later it can instead be appended to the site certificate file).
- my.domain.com.crt - the public certificate for our site (SSLCertificateFile).
- my.domain.com.pem - the private key for our site (SSLCertificateKeyFile).
If you are using Nginx, you need to bundle the site certificate and ca.crt together in one file, with the site certificate first:
cat my.domain.com.crt > bundle.crt
cat ca.crt >> bundle.crt
... so then you only need:
- my.domain.com.pem - your site's private key (ssl_certificate_key)
- bundle.crt - a single public certificate file containing your site's certificate followed by the certificate authority's (ssl_certificate).
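As an added example that is not part of the original page, here is the whole certificate authority method above, from the CA key through to the Nginx bundle, run unattended, followed by the checks worth running before deploying the files: that the site certificate chains to ca.crt and is valid for the expected hostname, that it is not itself marked as a CA, that it matches its private key, and that it sits first in bundle.crt. The output directory and hostname are parameters and "Example Test CA" is a placeholder CA name. Two deliberate departures from the page's steps: the CA key is generated without -des3 so the script needs no passphrase (for a real private CA, keep that key encrypted and off the web server), and the extension file trims keyUsage to what a TLS server needs and adds extendedKeyUsage = serverAuth.

```shell
#!/bin/sh
# Added example, not the page's own script. Assumed placeholders: the output
# directory and the site FQDN are parameters; "Example Test CA" is made up.

make_ca_and_site_cert() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir" || return 1

  # 1. CA private key (unencrypted here, see the note above) and root certificate.
  openssl genrsa -out "$dir/ca.pem" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.pem" -sha256 -days 1825 \
    -subj "/CN=Example Test CA" -out "$dir/ca.crt"

  # 2. Site private key and certificate signing request.
  openssl genrsa -out "$dir/$fqdn.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/$fqdn.pem" -subj "/CN=$fqdn" \
    -out "$dir/certificate-request.csr"

  # 3. Extensions the CA applies when signing: leaf only, TLS server use, SAN.
  cat > "$dir/configuration.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $fqdn
EOF

  # 4. Sign the CSR with the CA; -CAcreateserial writes ca.srl next to ca.crt.
  openssl x509 -req -in "$dir/certificate-request.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.pem" -CAcreateserial \
    -out "$dir/$fqdn.crt" -days 365 -sha256 \
    -extfile "$dir/configuration.ext" 2>/dev/null

  # 5. Nginx-style bundle: the site certificate first, then the CA that signed it.
  cat "$dir/$fqdn.crt" "$dir/ca.crt" > "$dir/bundle.crt"
}

# Returns 0 only if the site certificate chains to ca.crt for the given hostname,
# is not itself a CA, and matches the site's private key.
verify_site_cert() {
  dir="$1"; fqdn="$2"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$fqdn" \
    "$dir/$fqdn.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$fqdn.crt" -noout -text | grep -q "CA:FALSE" || return 1
  cert_pub=$(openssl x509 -in "$dir/$fqdn.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$fqdn.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# openssl x509 reads only the first certificate in a file, so this checks that the
# bundle starts with the site certificate rather than the CA's.
bundle_leaf_is_site() {
  dir="$1"; fqdn="$2"
  openssl x509 -in "$dir/bundle.crt" -noout -subject | grep -q "CN *= *$fqdn"
}
```

The hostname-aware verify is the same check a browser performs, so running it against ca.crt is the quickest way to confirm the CA, certificate and SAN all line up before trusting ca.crt on a client; the bundle-order check catches the common mistake of concatenating the files the other way round.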